Sunday, September 22, 2024

Fake Emails With Sophisticated Social Engineering Tricks Are Proliferating, Intel Warns

A well-crafted email message from an executive can cause employees to take swift action. That’s just what criminals hope for when they send phishing messages that purport to be from senior executives to more junior ones, says Scott Montgomery, vice president and chief technical strategist at Intel Security, the data-protection unit of Intel Corp.

The number of transactions involving criminals using C-level sway as part of money-transfer requests is growing, Montgomery tells Digital Transactions News. “These messages have the tone, cadence, and payment size a CEO might authorize,” Montgomery says. Criminals use email because it’s remote, anonymous, and lucrative, he says. Intel Security owns McAfee, a popular antivirus and online security service.

Criminals prey on employee allegiance to executives to scam companies out of millions of dollars, Montgomery says. While phishing is a long-time issue, the sophistication of the criminal efforts is growing, he says. Indeed, in an online quiz Intel Security conducted last year, only 3% of more than 19,000 visitors correctly identified all 10 emails presented in the quiz as phishing attempts. The worldwide average score of 65.4% meant participants missed one in four phishing emails on average.

Considering that performance, the impetus for preventing payments scams via phishing email rests on better internal controls within companies, Montgomery says. “Email is really convenient, but email and fixed passwords and some legacy technologies are easy to use in fooling teammates,” he says. Internal controls need to be tightened up so criminal activity is not so easy or convenient, he adds.

Indeed, payments fraud appears to be on the rise, with 73% of companies in a recent Association for Financial Professionals Inc. study reporting actual or attempted payments fraud in 2015. It was 62% in 2014.

The study found that fraudulent wire transfers—a coveted type of activity by phishers, Montgomery says—spiked to 48% last year, up from 3% in 2009.

Better internal controls might help catch illegitimate emails, but one problem is the sheer volume of attempts. In the fourth quarter of 2015 alone, the Anti-Phishing Working Group Inc. reported 194,499 unique email campaigns in October, 105,233 in November, and 80,548 in December. Such volume betokens an automated service, Montgomery says.

He points to a panel he shared last week at the Network Branded Prepaid Card Association conference with an FBI representative who, according to Montgomery, said the agency relies on automated software to track and check suspicious activity reports.

Payments companies also should factor in the personal mobile devices many of their employees use, Montgomery says. Organizations need to use technology that uses geolocation, device tracking, and other data as part of their vetting program.

Awareness will help, too, he says. “Practice doesn’t make perfect in this game,” he says. “Practice makes habit.” Habit, or best practices, can do a lot to curtail successful phishing attempts, he adds.


Digital Transactions